From 7251d7384877894943e1cd2ac7cff5e0688a56c8 Mon Sep 17 00:00:00 2001
From: "ak@geant.org" <ak@geant.org>
Date: Fri, 13 Oct 2023 19:26:06 +0100
Subject: [PATCH 01/10] changes in the role cic_generic: replacing system-login
 and replacing system-dns stanzas

---
 .../roles/cic_generic/tasks/fix_template.yaml |  3 +-
 .../roles/cic_generic/tasks/main.yml          | 35 +++++++++++++++++--
 .../cic_generic/tasks/test_template.yaml      | 21 +++++++----
 .../roles/cic_generic/templates/system_dns.j2 | 15 ++++++++
 .../cic_generic/templates/system_login.j2     |  1 +
 .../roles/cic_generic/vars/main.yml           |  4 ++-
 6 files changed, 68 insertions(+), 11 deletions(-)
 create mode 100644 geant/ops_ansible/roles/cic_generic/templates/system_dns.j2

diff --git a/geant/ops_ansible/roles/cic_generic/tasks/fix_template.yaml b/geant/ops_ansible/roles/cic_generic/tasks/fix_template.yaml
index bcaf501..bb71812 100644
--- a/geant/ops_ansible/roles/cic_generic/tasks/fix_template.yaml
+++ b/geant/ops_ansible/roles/cic_generic/tasks/fix_template.yaml
@@ -14,4 +14,5 @@
 - name: Show diff of "{{ config_object }}"
   ansible.builtin.debug:
     msg: "{{ response }}"
-  when: verb == "fix" and not (dry_run | ansible.builtin.bool)
+  when: verb == "fix" and not (dry_run | ansible.builtin.bool) 
+
diff --git a/geant/ops_ansible/roles/cic_generic/tasks/main.yml b/geant/ops_ansible/roles/cic_generic/tasks/main.yml
index 3c862bc..e2c2746 100644
--- a/geant/ops_ansible/roles/cic_generic/tasks/main.yml
+++ b/geant/ops_ansible/roles/cic_generic/tasks/main.yml
@@ -9,7 +9,7 @@
   when: ((verb is not defined) or (config_object is not defined)) or (verb not in verbs) or (config_object not in config_objects.keys())
 
 - name: Fail if arguments are not correct
-  ansible.builtin.meta: end_play
+  meta: end_play
   when: ((verb is not defined) or (config_object is not defined)) or (verb not in verbs) or (config_object not in config_objects.keys())
 
 - name: Set an ID for this run
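Review bot: The task named "Fail if arguments are not correct" does not fail: `meta: end_play` ends the play without marking the host failed, so a run with a missing or unknown `verb` or `config_object` finishes with a successful status and a scheduler or CI job will read it as a passed integrity check. If a hard stop is intended, `ansible.builtin.fail:` with `msg: "verb or config_object is missing or not supported"` under the same `when:` gives a non-zero exit. The changed line also drops the `ansible.builtin.` prefix the file used before; the same happens to `include_tasks` further down this file and to `mail` in test_template.yaml. The task that precedes this one starts outside the hunk.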
@@ -21,10 +21,39 @@
   ansible.builtin.debug:
     msg: "{{ opid }}"
 
+- name: Merge system login user vars
+  merge_vars:
+    suffix_to_merge: users__to_merge
+    merged_var_name: system_login_users
+    expected_type: 'list'
+
+- name: Merge system login classes vars
+  merge_vars:
+    suffix_to_merge: classes__to_merge
+    merged_var_name: system_login_classes
+    expected_type: 'list'
+
+- name: Merge snmp communities vars
+  merge_vars:
+    suffix_to_merge: snmp_communities__to_merge
+    merged_var_name: snmp_communities
+    expected_type: 'list'
+
+- name: Merge prefix lists
+  merge_vars:
+    suffix_to_merge: prefix_lists__to_merge
+    merged_var_name: po_prefixlists
+    expected_type: 'list'
+
 - name: Include compiling the template
-  ansible.builtin.include_tasks: compile_template.yaml
+  include_tasks: compile_template.yaml
   when: (verb in verbs)
 
 - name: Include the test tasks if specified
-  ansible.builtin.include_tasks: test_template.yaml
+  include_tasks: test_template.yaml
   when: verb == "test"
+
+- name: Include the test tasks if specified
+  include_tasks: fix_template.yaml
+  when: verb == "fix"
+
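Review bot: The last added task includes fix_template.yaml but is named "Include the test tasks if specified", the same name as the task above it, so run output and logs cannot tell the check-only include from the one that can commit to the device. `- name: Include the fix tasks if specified` separates them; PATCH 05/10 later touches both tasks and leaves the names as they are. The four `merge_vars` tasks run for every `config_object`, so a one-line comment above them saying which templates consume `system_login_users`, `system_login_classes`, `snmp_communities` and `po_prefixlists` would help the next reader.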
diff --git a/geant/ops_ansible/roles/cic_generic/tasks/test_template.yaml b/geant/ops_ansible/roles/cic_generic/tasks/test_template.yaml
index 4125f2b..0db0e76 100644
--- a/geant/ops_ansible/roles/cic_generic/tasks/test_template.yaml
+++ b/geant/ops_ansible/roles/cic_generic/tasks/test_template.yaml
@@ -1,5 +1,6 @@
 ---
-- name: Verify "{{ config_object }}" [CHECK ONLY]
+### This task will fail if commit-check fails
+- name: Test "{{ config_object }}" [CHECK ONLY]
   juniper_junos_config:
     load: "{{ config_objects[config_object].strategy }}"
     src: "/var/tmp/ansible_run_{{ opid }}/{{ config_object }}.conf"
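Review bot: The added comment says the task fails when commit-check fails, but nothing in this file fails when the device differs from the intended configuration: the only task that would do so is added commented-out in the next hunk, so drift is reported through the debug output and the optional e-mail alone and the play still ends with a successful status. If that is deliberate, the comment should say so, e.g. `# Fails only on commit-check errors; a diff is reported, not failed`. If the commented `ansible.builtin.fail` task is ever enabled it should sit after the mail task, otherwise the play stops before the alert is sent. The task body continues past the end of this hunk.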
@@ -8,20 +9,28 @@
     check: true
     commit: false
   register: response
-  when: verb == "test" and (dry_run | ansible.builtin.bool)
+  when: verb == "test" and dry_run | ansible.builtin.bool
 
+### This task never fails. It only shows differences if ther are any 
+### but commit-check in the previous task should succeed
 - name: Show DRY diff of "{{ config_object }}"
   ansible.builtin.debug:
     msg: "{{ response }}"
-  when: verb == "test" and (dry_run | ansible.builtin.bool) and (response.changed | ansible.builtin.bool)
+  when: verb == "test" and dry_run | ansible.builtin.bool and response.changed == true
+
+# ### This task will artificially fail if there is config that needs to be added or removed
+# - name: Fail if there are diffs
+#   ansible.builtin.fail:
+#     msg: "Running configuration is not the same as the intended"
+#   when: response.changed == true 
 
 - name: Send an e-mail using Geant SMTP servers
-  community.general.notification.mail:
+  mail:
     host: "{{ cic_alerts_mail_host }}"
     port: "{{ cic_alerts_smtp_port }}"
     sender: "{{ cic_alerts_sender }}"
     to: "{{ cic_alerts_recipient }}"
-    subject: "Config Integrity Check failed for {{ inventory_hostname }} on {{ config_object }}"
+    subject: "Config Integrity Check failed for {{ inventory_hostname }} on {{ config_object }}" 
     body: "{{ lookup('ansible.builtin.template', 'mail_body.j2') }}"
   delegate_to: localhost
-  when: (response.changed | ansible.builtin.bool) and (send_email | ansible.builtin.bool)
+  when: response.changed == true and (send_email | ansible.builtin.bool) == true
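Review bot: `msg: "{{ response }}"` and the mail task carry the device diff, which for `system_login` can include password hashes and for other stanzas SNMP community strings; the debug output lands in the controller or CI log, and the mail task sets no `secure:` option, so it relies on the module's default opportunistic TLS. Whether `mail_body.j2` embeds the diff is not visible here and needs confirming. Adding `secure: starttls` (or `always`, matching `cic_alerts_smtp_port`) to the mail task and reducing the debug output to a summary such as `msg: "{{ response.changed }}"` keeps that material out of logs and off unencrypted links. The new conditions `response.changed == true` on the debug and mail tasks are literal comparisons where the removed lines used `| ansible.builtin.bool`; PATCH 02/10 makes the same change in manage_global_prefix_lists/tasks/main.yml.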
diff --git a/geant/ops_ansible/roles/cic_generic/templates/system_dns.j2 b/geant/ops_ansible/roles/cic_generic/templates/system_dns.j2
new file mode 100644
index 0000000..55251f6
--- /dev/null
+++ b/geant/ops_ansible/roles/cic_generic/templates/system_dns.j2
@@ -0,0 +1,15 @@
+system {
+{% if system_name_servers is defined %}
+  {% if system_name_servers|length > 1 %}
+  replace: name-server {
+  {%- for name_server in system_name_servers %}
+    {{ name_server }};
+    {%- endfor %}
+  }
+{% else %}
+  {%- for name_server in system_name_servers %}
+  replace: name-server {{ name_server }};
+  {% endfor %}
+  {% endif %}
+ {% endif %}
+}
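Review bot: When `system_name_servers` is undefined or an empty list the template renders an empty `system { }` block, which carries no `replace:` tag and so, as far as I can tell, loads as a no-op: the check then reports no difference whatever name-servers the device actually has. A missing variable should stop the run rather than pass it, for example with an `ansible.builtin.assert` on `system_name_servers is defined and system_name_servers | length > 0` before the template is compiled. The single-entry branch tags one `name-server` leaf instead of the whole list, which may leave other configured servers in place; the braced form works for one entry too, so the two branches can be merged as below. The entries are written into the configuration text unvalidated, so the variable should only ever hold plain IP addresses.

```jinja
system {
{% if system_name_servers is defined and system_name_servers | length > 0 %}
  replace: name-server {
{% for name_server in system_name_servers %}
    {{ name_server }};
{% endfor %}
  }
{% endif %}
}
```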
diff --git a/geant/ops_ansible/roles/cic_generic/templates/system_login.j2 b/geant/ops_ansible/roles/cic_generic/templates/system_login.j2
index e76db0d..e7cbade 100644
--- a/geant/ops_ansible/roles/cic_generic/templates/system_login.j2
+++ b/geant/ops_ansible/roles/cic_generic/templates/system_login.j2
@@ -70,6 +70,7 @@ replace: login {
       {% endfor %}
       }
     {% endif %}
+    message "----------------------------------------------------------------\n\n This is {{ inventory_hostname }} a GEANT Router in {{ site_city }}, {{ site_country }}.\n Warning: Unauthorized access to this equipment is strictly forbidden and will lead to prosecution \n\n-------------------------------------------------------------\n";
  }
 }
 
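Review bot: The `message` statement is displayed before authentication, so this banner gives the router's hostname, its operator and the site city and country to anyone who can reach the login prompt. Common hardening guidance keeps only the legal warning in `message` and moves identifying text to `announcement`, which is shown after login: `message "Warning: Unauthorized access to this equipment is strictly forbidden and will lead to prosecution\n";` and `announcement "This is {{ inventory_hostname }}, a GEANT router in {{ site_city }}, {{ site_country }}.\n";`. `site_city` and `site_country` are placed inside a double-quoted Junos string unescaped, so a value containing a double quote would break the stanza. The enclosing `replace: login {` block starts outside this hunk.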
diff --git a/geant/ops_ansible/roles/cic_generic/vars/main.yml b/geant/ops_ansible/roles/cic_generic/vars/main.yml
index b6cfa48..52d7c1b 100644
--- a/geant/ops_ansible/roles/cic_generic/vars/main.yml
+++ b/geant/ops_ansible/roles/cic_generic/vars/main.yml
@@ -25,4 +25,6 @@ config_objects:
   system_ntp:
     strategy: replace
   system_login:
-    strategy: merge
+    strategy: replace
+  system_dns:
+    strategy: replace
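Review bot: Switching `system_login` to `strategy: replace` makes the rendered stanza authoritative: any user or class on the device that is absent from the merged `system_login_users` and `system_login_classes` lists is removed when a `fix` run commits. If a `*users__to_merge` variable is out of scope for a host, that can remove the very account Ansible logs in with. An `ansible.builtin.assert` that both merged lists are non-empty before the fix path, and a commit-confirmed window in fix_template.yaml (its commit task is not shown here), would limit the impact of an incomplete inventory. A comment on the key would record the intent, e.g. `# replace: template output is the full login stanza; unlisted users are removed`.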
-- 
GitLab


From 97260c89b61bc6c79820751128f7ff84475a55e1 Mon Sep 17 00:00:00 2001
From: "ak@geant.org" <ak@geant.org>
Date: Fri, 13 Oct 2023 19:57:20 +0100
Subject: [PATCH 02/10] cosmetic change to the manage_global_prefix_list
 main.yaml task

---
 .../ops_ansible/roles/manage_global_prefix_lists/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/geant/ops_ansible/roles/manage_global_prefix_lists/tasks/main.yml b/geant/ops_ansible/roles/manage_global_prefix_lists/tasks/main.yml
index 4191e3b..38a41fb 100644
--- a/geant/ops_ansible/roles/manage_global_prefix_lists/tasks/main.yml
+++ b/geant/ops_ansible/roles/manage_global_prefix_lists/tasks/main.yml
@@ -57,7 +57,7 @@
     subject: "Config Integrity Check failed for {{ inventory_hostname }} on prefix-lists"
     body: "{{ lookup('ansible.builtin.template', 'mail_body.j2') }}"
   delegate_to: localhost
-  when: (response.changed | ansible.builtin.bool) and ( send_email | ansible.builtin.bool )
+  when: response.changed == true and ( send_email | ansible.builtin.bool )
 
 - name: Deploy global prefix list [AND COMMIT]
   juniper_junos_config:
-- 
GitLab


From 563e90a38c69fdd4c13cb3dd5cbaa318617b7ed6 Mon Sep 17 00:00:00 2001
From: "ak@geant.org" <ak@geant.org>
Date: Fri, 13 Oct 2023 21:31:49 +0100
Subject: [PATCH 03/10] Update changelog for v 1.0.5

---
 geant/ops_ansible/CHANGELOG.md | 33 ++++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 9 deletions(-)

diff --git a/geant/ops_ansible/CHANGELOG.md b/geant/ops_ansible/CHANGELOG.md
index 935129e..4d7ddeb 100644
--- a/geant/ops_ansible/CHANGELOG.md
+++ b/geant/ops_ansible/CHANGELOG.md
@@ -1,9 +1,24 @@
-# Changelog
-## 1.0.4 2023-08-04
-- Changes in the role 'cic_generic':
-    - Added support for fixing a stanza: a new verb 'fix' to work with the fix_template.
-    - Added support for Junos 'system_login' stanza.
-## 1.0.3 2023-08-02
-- Added cic_generic role to manage the test of arbitrary templates against the network.
-- Config push strategy is now template-dependant: you should decide if you want a replace or a merge
-- Added email generation for test runs that generates differences
+Changelog
+=========
+1.0.5 2023-10-13
+
+Changes in the role 'cic_generic':
+
+- system_login stanza is in the 'replace' mode.
+- Added support for system_dns stanza
+
+
+1.0.4 2023-08-04
+
+Changes in the role 'cic_generic':
+
+Added support for fixing a stanza: a new verb 'fix' to work with the fix_template.
+Added support for Junos 'system_login' stanza.
+
+
+
+1.0.3 2023-08-02
+
+Added cic_generic role to manage the test of arbitrary templates against the network.
+Config push strategy is now template-dependant: you should decide if you want a replace or a merge
+Added email generation for test runs that generates differences
-- 
GitLab


From 4ba3f6abd03704defa7b1a52874b1f8f49bb1088 Mon Sep 17 00:00:00 2001
From: "ak@geant.org" <ak@geant.org>
Date: Fri, 13 Oct 2023 21:46:10 +0100
Subject: [PATCH 04/10] fixing linting

---
 geant/ops_ansible/roles/cic_generic/tasks/fix_template.yaml | 2 +-
 geant/ops_ansible/roles/cic_generic/tasks/main.yml          | 1 -
 .../ops_ansible/roles/cic_generic/tasks/test_template.yaml  | 6 +++---
 3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/geant/ops_ansible/roles/cic_generic/tasks/fix_template.yaml b/geant/ops_ansible/roles/cic_generic/tasks/fix_template.yaml
index bb71812..dbe13be 100644
--- a/geant/ops_ansible/roles/cic_generic/tasks/fix_template.yaml
+++ b/geant/ops_ansible/roles/cic_generic/tasks/fix_template.yaml
@@ -14,5 +14,5 @@
 - name: Show diff of "{{ config_object }}"
   ansible.builtin.debug:
     msg: "{{ response }}"
-  when: verb == "fix" and not (dry_run | ansible.builtin.bool) 
+  when: verb == "fix" and not (dry_run | ansible.builtin.bool)
 
diff --git a/geant/ops_ansible/roles/cic_generic/tasks/main.yml b/geant/ops_ansible/roles/cic_generic/tasks/main.yml
index e2c2746..746776e 100644
--- a/geant/ops_ansible/roles/cic_generic/tasks/main.yml
+++ b/geant/ops_ansible/roles/cic_generic/tasks/main.yml
@@ -56,4 +56,3 @@
 - name: Include the test tasks if specified
   include_tasks: fix_template.yaml
   when: verb == "fix"
-
diff --git a/geant/ops_ansible/roles/cic_generic/tasks/test_template.yaml b/geant/ops_ansible/roles/cic_generic/tasks/test_template.yaml
index 0db0e76..51173d8 100644
--- a/geant/ops_ansible/roles/cic_generic/tasks/test_template.yaml
+++ b/geant/ops_ansible/roles/cic_generic/tasks/test_template.yaml
@@ -11,7 +11,7 @@
   register: response
   when: verb == "test" and dry_run | ansible.builtin.bool
 
-### This task never fails. It only shows differences if ther are any 
+### This task never fails. It only shows differences if ther are any
 ### but commit-check in the previous task should succeed
 - name: Show DRY diff of "{{ config_object }}"
   ansible.builtin.debug:
@@ -22,7 +22,7 @@
 # - name: Fail if there are diffs
 #   ansible.builtin.fail:
 #     msg: "Running configuration is not the same as the intended"
-#   when: response.changed == true 
+#   when: response.changed == true
 
 - name: Send an e-mail using Geant SMTP servers
   mail:
@@ -30,7 +30,7 @@
     port: "{{ cic_alerts_smtp_port }}"
     sender: "{{ cic_alerts_sender }}"
     to: "{{ cic_alerts_recipient }}"
-    subject: "Config Integrity Check failed for {{ inventory_hostname }} on {{ config_object }}" 
+    subject: "Config Integrity Check failed for {{ inventory_hostname }} on {{ config_object }}"
     body: "{{ lookup('ansible.builtin.template', 'mail_body.j2') }}"
   delegate_to: localhost
   when: response.changed == true and (send_email | ansible.builtin.bool) == true
-- 
GitLab


From 9fafb4104a2b081d50b006ecfde56cc1a66fad4f Mon Sep 17 00:00:00 2001
From: "ak@geant.org" <ak@geant.org>
Date: Fri, 13 Oct 2023 21:53:57 +0100
Subject: [PATCH 05/10] Fixing modules FQCN

---
 geant/ops_ansible/roles/cic_generic/tasks/main.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/geant/ops_ansible/roles/cic_generic/tasks/main.yml b/geant/ops_ansible/roles/cic_generic/tasks/main.yml
index 746776e..7c26c1e 100644
--- a/geant/ops_ansible/roles/cic_generic/tasks/main.yml
+++ b/geant/ops_ansible/roles/cic_generic/tasks/main.yml
@@ -9,7 +9,7 @@
   when: ((verb is not defined) or (config_object is not defined)) or (verb not in verbs) or (config_object not in config_objects.keys())
 
 - name: Fail if arguments are not correct
-  meta: end_play
+  ansible.builtin.meta: end_play
   when: ((verb is not defined) or (config_object is not defined)) or (verb not in verbs) or (config_object not in config_objects.keys())
 
 - name: Set an ID for this run
@@ -46,13 +46,13 @@
     expected_type: 'list'
 
 - name: Include compiling the template
-  include_tasks: compile_template.yaml
+  ansible.builtin.include_tasks: compile_template.yaml
   when: (verb in verbs)
 
 - name: Include the test tasks if specified
-  include_tasks: test_template.yaml
+  ansible.builtin.include_tasks: test_template.yaml
   when: verb == "test"
 
 - name: Include the test tasks if specified
-  include_tasks: fix_template.yaml
+  ansible.builtin.include_tasks: fix_template.yaml
   when: verb == "fix"
-- 
GitLab


From cd17ef4dbf38093832d164be0ab126e8b45a4fad Mon Sep 17 00:00:00 2001
From: "ak@geant.org" <ak@geant.org>
Date: Fri, 13 Oct 2023 21:58:09 +0100
Subject: [PATCH 06/10] Fix FQCN of mail module

---
 .../ops_ansible/roles/manage_global_prefix_lists/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/geant/ops_ansible/roles/manage_global_prefix_lists/tasks/main.yml b/geant/ops_ansible/roles/manage_global_prefix_lists/tasks/main.yml
index 38a41fb..792ee88 100644
--- a/geant/ops_ansible/roles/manage_global_prefix_lists/tasks/main.yml
+++ b/geant/ops_ansible/roles/manage_global_prefix_lists/tasks/main.yml
@@ -49,7 +49,7 @@
   when: verb == "deploy" and ( dry_run | ansible.builtin.bool )
 
 - name: Send an e-mail using Geant SMTP servers
-  community.general.notification.mail:
+  community.general.mail:
     host: "{{ cic_alerts_mail_host }}"
     port: "{{ cic_alerts_smtp_port }}"
     sender: "{{ cic_alerts_sender }}"
-- 
GitLab


From 9e030aad627d02ac34225c61daa35b0a2a88d549 Mon Sep 17 00:00:00 2001
From: "ak@geant.org" <ak@geant.org>
Date: Mon, 16 Oct 2023 15:00:13 +0100
Subject: [PATCH 07/10] Fixes: bools checks and FQCNs

---
 geant/ops_ansible/roles/cic_generic/tasks/fix_template.yaml  | 1 -
 geant/ops_ansible/roles/cic_generic/tasks/test_template.yaml | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/geant/ops_ansible/roles/cic_generic/tasks/fix_template.yaml b/geant/ops_ansible/roles/cic_generic/tasks/fix_template.yaml
index dbe13be..bcaf501 100644
--- a/geant/ops_ansible/roles/cic_generic/tasks/fix_template.yaml
+++ b/geant/ops_ansible/roles/cic_generic/tasks/fix_template.yaml
@@ -15,4 +15,3 @@
   ansible.builtin.debug:
     msg: "{{ response }}"
   when: verb == "fix" and not (dry_run | ansible.builtin.bool)
-
diff --git a/geant/ops_ansible/roles/cic_generic/tasks/test_template.yaml b/geant/ops_ansible/roles/cic_generic/tasks/test_template.yaml
index 51173d8..9fd4d68 100644
--- a/geant/ops_ansible/roles/cic_generic/tasks/test_template.yaml
+++ b/geant/ops_ansible/roles/cic_generic/tasks/test_template.yaml
@@ -25,7 +25,7 @@
 #   when: response.changed == true
 
 - name: Send an e-mail using Geant SMTP servers
-  mail:
+  community.general.mail:
     host: "{{ cic_alerts_mail_host }}"
     port: "{{ cic_alerts_smtp_port }}"
     sender: "{{ cic_alerts_sender }}"
@@ -33,4 +33,4 @@
     subject: "Config Integrity Check failed for {{ inventory_hostname }} on {{ config_object }}"
     body: "{{ lookup('ansible.builtin.template', 'mail_body.j2') }}"
   delegate_to: localhost
-  when: response.changed == true and (send_email | ansible.builtin.bool) == true
+  when: (response.changed | ansible.builtin.bool) and (send_email | ansible.builtin.bool)
-- 
GitLab


From 2710531fd293c60eb2d874f3a6691f67bc1c9b3a Mon Sep 17 00:00:00 2001
From: Aleksandr Kurbatov <aleksandr.kurbatov@geant.org>
Date: Fri, 20 Oct 2023 11:13:05 +0000
Subject: [PATCH 08/10] Update .ansible-lint -   'var-naming[no-role-prefix]'

---
 .ansible-lint | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.ansible-lint b/.ansible-lint
index 00671fe..2f674e4 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -3,3 +3,4 @@ skip_list:
   - 'role-name[path]' # Avoid using paths when importing roles.
   - 'meta-runtime[unsupported-version]' # requires_ansible key must be set to a supported version.
   - 'meta-unsupported-ansible'  # Required ansible version in meta/runtime.yml must be a supported version.
+  - 'var-naming[no-role-prefix]'
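Review bot: The new `skip_list` entry is the only one without a trailing comment saying what the rule checks; `- 'var-naming[no-role-prefix]'  # Role variables need not start with the role name.` keeps the list self-describing. Skipping the rule for the whole repository also silences it for roles added later. If the aim is only to unblock the existing roles, listing it under `warn_list` keeps the finding visible without failing the lint run.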
-- 
GitLab


From 30fb8e5583f2fb86c632319a863c39e08fdddede Mon Sep 17 00:00:00 2001
From: "ak@geant.org" <ak@geant.org>
Date: Fri, 20 Oct 2023 12:16:26 +0100
Subject: [PATCH 09/10] fixed literal comparison

---
 geant/ops_ansible/roles/cic_generic/tasks/test_template.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/geant/ops_ansible/roles/cic_generic/tasks/test_template.yaml b/geant/ops_ansible/roles/cic_generic/tasks/test_template.yaml
index 9fd4d68..ed7f423 100644
--- a/geant/ops_ansible/roles/cic_generic/tasks/test_template.yaml
+++ b/geant/ops_ansible/roles/cic_generic/tasks/test_template.yaml
@@ -16,7 +16,7 @@
 - name: Show DRY diff of "{{ config_object }}"
   ansible.builtin.debug:
     msg: "{{ response }}"
-  when: verb == "test" and dry_run | ansible.builtin.bool and response.changed == true
+  when: verb == "test" and (dry_run | ansible.builtin.bool) and (response.changed | ansible.builtin.bool)
 
 # ### This task will artificially fail if there is config that needs to be added or removed
 # - name: Fail if there are diffs
-- 
GitLab


From a530c400071748c05d7698b46662a957e1d8492a Mon Sep 17 00:00:00 2001
From: "ak@geant.org" <ak@geant.org>
Date: Fri, 20 Oct 2023 12:19:43 +0100
Subject: [PATCH 10/10] fixing another literal comparison

---
 .../ops_ansible/roles/manage_global_prefix_lists/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/geant/ops_ansible/roles/manage_global_prefix_lists/tasks/main.yml b/geant/ops_ansible/roles/manage_global_prefix_lists/tasks/main.yml
index 792ee88..de3f336 100644
--- a/geant/ops_ansible/roles/manage_global_prefix_lists/tasks/main.yml
+++ b/geant/ops_ansible/roles/manage_global_prefix_lists/tasks/main.yml
@@ -57,7 +57,7 @@
     subject: "Config Integrity Check failed for {{ inventory_hostname }} on prefix-lists"
     body: "{{ lookup('ansible.builtin.template', 'mail_body.j2') }}"
   delegate_to: localhost
-  when: response.changed == true and ( send_email | ansible.builtin.bool )
+  when: (response.changed | ansible.builtin.bool) and ( send_email | ansible.builtin.bool )
 
 - name: Deploy global prefix list [AND COMMIT]
   juniper_junos_config:
-- 
GitLab